A Kerberos-Based Authentication Architecture for Wireless Lans

A Kerberos-Based Authentication Architecture for Wireless Lans

A Kerberos-Based Authentication Architecture for Wireless LANs Mohamed Ali Kaafar1, Lamia Benazzouz1, Farouk Kamoun1, and Davor Males2 1 Ecole Nationale des Seiences de l'lnformatique, Universitt~ de la Manouba. Tunisia {Medali.kaafar, Lamia.benazzouz, Farouk.kamoun}@ensi.rnu.tn 2 Laboratoire d'lnformatique de Paris 6 Universite Pierreet Marie Curie 8, rue du capitaine Scott 75015 Paris. France [email protected] Abstract. This work addresses the issues re1ated to authentication in wireless LAN environments, with emphasis on the IEEE 802.11 standard. lt proposes an authentication architecture for Wireless networks. This architecture called Wireless Kerberos (W-Kerberos), is based on the Kerberos authentication server and the IEEE 802.1X-EAP mode1, in order to satisfy both security and mobility needs. lt then, provides a mean of protecting the network, assuring mutual authentication, thwarts cryptographic attack risks via a key refreshment mechanism and manages fast and secure Handovers between access points. 1 Introduction Over recent years, wire1ess communication has enjoyed enormous growth, becoming popular in botb public and private sectors. Wireless Local Area Network (WLAN) technology is capable of offering instant, high-speed and mobile connectivity. While this technology offers a Iot of advantages, it does also introduce issues related to authentication, access control, confidentiality and data integrity. Today, wireless products are being developed that do not address all of the security services related to this technology. Although the IEEE 802.lli framework is proposing a "Robust Security Nework" architecture (RSN) to deal with the security wireless networks limitations, actually there is not a complete set of standards available that solves all the issues related to Wireless security [1]. While the Kerberos approach has been proposed as a standard for enhanced security in IEEE TGe [2], currently there is no valid proposals using a Kerberos-like mechanism to provide authentication in a WLAN environment, preventing from cryptographic attacks and handling fast and secure handovers. In this paper, we propose a mobility aware authentication architecture for the IEEE 802.11 networks, based on the IEEE 802.lli works and exploiting the Kerberos protocol to overcome the RSN limitations and provide a global framework. We first begin by introducing the Kerberos protocol, and concepts related to the RSN architecture such as the EAP- 802.1X model. This is followed by a description of the proposed architecture (called N. Mitrou et al. (Eds.): NETWORKING 2004, LNCS 3042, pp. 1344-1353, 2004. © IFIP International Federation for Infonnation Processing 2004 A Kerberos-Based Authentication Architecture for Wireless LANs 1345 W-Kerberos) and the authentication process. Next, we describe the implementation of the system and conclude with perspectives of this work. 2 The Kerberos Protocol The following subsections present the Kerberos protocol and the authentication process in a Kerberos-based system. 2.1 Presentation Kerberos was developed as an open software at the Massachusetts Institute of Technology (MIT) as part of its Athena project [3]. Since its version 4, Kerberos is under the IETF Common Authentication Technology Warking Group responsibility[ 4]. The Kerberos architecture defines three entities: the client wanting to reach resources of a certain server, the service supplier or server, and the authentication Kerberos server. The latter is based on two distinct logical entities: An AS server (Authentication Server), responsible for the identification of clients, and a TGS server (Ticket Granting Service) which provides clients with access authorizations on the basis of an AS identification. These two entities are regrouped under the name of KDC to mean Key Distribution Center [5]. 2.2 The Kerberos Authentication Process The Kerberos authentication takes place in a set of steps as shown in Figure 1 and described below: 1. Before the client attempts to use any service of the network, he must be authenticated by a Kerberos Authentication Server AS. This authentication consists in an initial ticket request: Ticket Granting Ticket (TGT). The TGT is used subsequently to get credentials for several services. 2. When the client wants to communicate with a particular server, he sends a request to the TGS asking for credentials for this server. The TGS answers with these credentials encrypted by the user's key. The credentials consist of a temporary session key Sk and a ticket for the service supplier called Service Ticket ST, containing the identity of the client and the session key, all of them encoded with the server's key. 3. The client, wanting to reach a server's ressources, transmits the ticket to this server. 4. The session key, now shared by the client and the server, can be used to encrypt the next communications. 1346 M.A. Käafar et al. TGT Request (1) TGT(l) • u ... LJ ST Request (2) ... ST andSK (2) •EJ ST (3) D ·1Server I Fig. 1. Kerberos service ticket request. 3 W-KERBEROS or Kerberos for the 802.11 Networks The proposed authentication process is based on tickets delivered by a W-Kerberos server. These tickets are going to direct the access points either to allow or not the traffic of a particular client. In the same way, it exploits the notion of dual ports of the IEEE 802.1X framework and the Extensible Authentication Protocol. We present in the following the IEEE 802.1X framework as a pillar of the IEEE 802.lli architecture, and the EAP protocol as a generic authentication methods transporter. W e describe then the proposed Kerberos authentication architecture called Wireless Kerberos: W-Kerberos. 3.1 The IEEE 802.1X Framework The IEEEstandard 802.1X [7] defines a port-based network access control using the physical characteristics of LAN (IEEE 802) infrastructures. This can be used to authenticate and authorize network access to certain physical devices. This access control is performed at the data link layer. The IEEE 802.1X standard abstracts three entities (Figure 2). • The supplicant: that wishes to access services, usually the client. • The authenticator: which is the entity that wishes to enforce authentication before allowing access to its services, usually within the device the supplicant connects to. • The authentication server: which the role is to authenticate supplicants on behalf of the authenticator. The IEEE 802.1X framework does not specify one particular authentication mechanism; it rather uses the Extensible Authentication Protocol (EAP) [8] as its authentication framework. EAP is a protocol that supports exchange of information for multiple authentication mechanisms. The authenticator is responsible for relaying this information between the supplicant and the authentication server. A Kerberos-Based Authentication Architecture for Wireless LANs 1347 Authenticator System I 1------------------------------~- I : Services off:red by : : the authentlcator : : system 1 : Authorize I : Uncontrolled 1 Controlled Port Unauthorize : : ) ·---------------------- Port 1 I Fig. 2. The IEEE 802.1X Setup The authenticator's port-based access control defines two logical ports via a single physical LAN port. These are controlled and uncontrolled ports. The uncontrolled port allows uncontrolled exchange (typically information for the authentication mechanism) between the authenticator and other entities on the LAN, irrespective of the authentication state of the system. Any other exchange between the supplicant and servers takes place via the controlled port. 3.2 The W-Kerberos Architecture The W-Kerberos system is composed of three main entities: • The client trying to have access to the network. • The access points considered as the Kerberos service suppliers, affering the service of access to the network. •The W-Kerberos server allowing identification, tickets transmission, key refreshment and secured Handovers. In this architecture, the authentication process takes place only once for the user. The principle of "Single Sign-on ", a principle according to which the user identifies hirnself only one time to the network to reach its different resources is applied. This transparency provides both security and convenience which palliates to certain EAP methods limitations, such as certificate-based methods [9]. Moreover, Mobility, a major asset in the Wireless networks, is handled by the proposed architecture. In fact, the authentication of the Handover phase, during which a dient terminal should associate to a new access point, takes place without the exchange of any security context between access points and avoids an initialisation of the authentication process. 1348 M.A. Kaafar et al. 4 The Authentication Process In the following subsections, we will describe the three main phases of the W­ Kerberos authentication process: the initial authentication, the key refreshment or re­ authentication and the Handover phase. 4.1 The Initial Authentication This phase is typically initiated by the dient terminal, which achieved a 802.11 association. In a frrst step, the dient, receiving an EAP Request Identity from the access point, sends an EAP Response message, encapsulating an initial Service Ticket request (KRB-AS-REQ). The key used to encode the KRB messages is shared between the client and the Kerberos server and derived from the password provided by the dient1. Client AP W-Kerberos EAP-ReQuest Identitv ~----------------------- AP blocks all traffic until EAP-Response KRB receivinl! ticket -----------------------~

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    10 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us